March 29, 2024

Let's stop Nigerian scams once and for good

A personal friend of mine’s Yahoo account was recently hacked by a Nigerian scammer. I know this because the email I got (“I’m stuck in the Philippines and need you to wire money”) had an IP address in a “Received” header that pointed squarely at Lagos, Nigeria. The modus operandi of these scammers is well understood. They erased my friend’s address book to make it harder to contact friends and family and alert them. The email they sent out also had a “Reply-To” field that directs subsequent conversations to a Hotmail account of the same username. I bantered back and forth with the scammer, but wasn’t able to accomplish much of interest before Hotmail abuse staff, who I concurrently notified, shut down the account. Now my friend has to clean up the mess left behind by the scammer.

I’ve exchanged some email with industry insiders, and it seems that these scammers are constantly changing their tactics, making it difficult to automatically squash them. Much like spammers, these scammers are adept at staying one step ahead.

Despite this, one thing really stood out: this specific scammer kept on about the importance of sending money via Western Union. Please wire some money immediately. Every email. I’m reminded of the great work the UCSD crew have been doing on spam, where they notably found that a small number of credit card merchant banks were enabling the bulk of the payments for Viagra, fake Rolex watches, and the like. Shut down those merchant banks, and the spammers’ business model collapses.

My Nigerian scammer gave me a seemingly legitimate street address for a Western Union office in Manilla, but they can pick up the money anywhere in the world. All they need is the “money transfer control number” (MTCN). There’s no need for them show any form of ID. Shocking idea: Western Union can single-handedly destroy this market by changing how they operate. How?

  • Allow the sender of money to specify the destination country or a specific Western Union office.
  • Allow the sender to require the recipient to present identification.
  • Allow the sender to include a photograph of the recipient, which the remote office will validate.

These sorts of methods would raise the bar against scammers, but wouldn’t defeat scammers operating with a collaborating Western Union agent (e.g., one getting a share of the profit). The only way to really stop this is to change the business model. Currently, according to Western Union’s FAQ, “If the receiver has already picked up the funds, this money is gone and we won’t be able to refund your money.” Western Union should be required to insure all money senders against the recipient being a scammer. Once the sender figures out they’ve been scammed and can offer some modicum of proof (e.g., a statement from Hotmail that an account was shut down because it was controlled by a scammer), Western Union should be obligated to refund the money. Of course, Western Union and other such services would be horrified by such a requirement. Too bad! The onus should be on Western Union and other such services to invent technologies or procedures (such as my bullet points above) to defeat scammers, and they should protect their money-sending clients against fraudulent recipients just like credit card companies protect their customers against fraudulent merchants.

Give Western Union and other such services an incentive to solve this problem on their own, by placing the onus of liability on them, and they’ll come up with creative ways to fix the problem, up to and including refusing to do business in countries like Nigeria where the scammers seem to operate with impunity. This entire class of scamming attack will be dealt a mortal blow. Of course, there will always be other ways to move money around, but it’s fundamentally much harder for the scammers to find new ways to move cash than it is for them to find new ways around spam and phishing filters. Western Union: you’re the choke point. Get on it.

Comments

  1. Nathan T. says

    Really? What would be an incentive for Western Union to do anything you suggested. It would be good business practice from a security standpoint, but really bad business practice in every other way, and mostly bad for the all mighty dollar.

    Western Union makes money on every transaction, regardless of if it is a scam or not. Most such transactions are scams, so Western Union would take a huge hit on all their revenues if they shut the scams down. They don’t want to shut the scams down.

    How many people really need to wire money to someone they actually know? It happens, but not with as much frequency as WU needs to operate their business. If they shut the scams down, they shut themselves down. If they shut down, the few who need such services won’t have it.

    Thus, they rationalize with themselves it is better to operate a business that allows scams to occur and still provides a needed service, than to go out of business leaving the need unfilled. So, they try to play the good guy with advertising and education materials regarding how to not be a victim of the scams, all the while happily collecting the money from the scam transactions.

    No, the best way to stop the scammers would be to stop falling prey to scams. But, in this world where everyone has a “get rich quick” mentality, people fall all over themselves for the “opportunity” to be victims of a scam.

  2. Bryan Feir says

    And a lot of this ties back to Bruce Schneier’s comments about externalities. A lot of fraud of various sorts happens because it’s an externality to the people in the best position to actually put a stop to it: it doesn’t affect them directly, so they have little incentive to spend money and effort to do anything about it.

  3. We can get most of the world’s payment processors to stop doing business with Wikileaks, but not with scammers? Hmm.

  4. Aleks Totic says

    My 80+ mother-in-law got scammed recently. It was the Jamaican Lottery Scam. They were creative in finding ways to get the money out: Fedex’d checks, reading numbers from pre-paid credit card, no Western Union. I was amazed at their ability to get her to do stuff. I know that getting my mother-in-law to do anything is tricky, and these guys, just using the phone, had her running all over town, withdrawing money, making shipments.

    I think Western Union is just the easy way, block it, and they’ll come up with something else.

    It was a hard scam to stop. We changed her phone, bank accounts, forwarded all mail. She lives in senior housing. They kept calling the front desk pretending they were her friends, relatives, correctly faking caller ID. They called anyone else with the same last name. They sent a taxi cab to pick her up to go visit her daughter. We are still unsure how they guessed her new phone number, but they did.

    A security service I’d happily pay for: senior security lockdown. A secure credit card, checking account, phone, email, mailbox address. All of these services would come with extra serving of security. Credit card would only accept charges from pre-approved users, checks would have to be approved by 2nd party, phone calls would be recorded, email cc’d and read. Basic service would have caretaker do the checking/approval manually, premium service would outsource.

    • Dan Wallach says

      I don’t want to make light of your mother-in-law, but I hope that most people would be less likely to fall for such a runaround, and by restricting one of the major conduits for cash, we could make a big dent in their business. You do raise an interesting point that some people are just more susceptible to being victimized than others, and that at least some of the scammers out there are quite talented. (My Nigerian “Philipino” scammer, not so much.)

      Senior security lockdown. I see a startup opportunity. (Or an ingenius new angle for a scammer.)

      • Aleks Totic says

        Wires accounted for 41% of scam payments methods (1). I think most of the people that fall for this stuff are quite gullible.
        I wish I was one of those inspiring startup guys that gets lots of others excited to do the real work, I’d start “Secure Senior” in a heartbeat. If anyone else wants to do it, I’d be happy to supply angel money and a test subject.

        (1) http://www.nclnet.org/images/PDF/ncl%202011%20top%20scams%20report.pdf

  5. John Millington says

    If people could form a sufficently-strong consensus that it’s a good idea to force Western Union to give back the money, they could also form a consensus that it’s a bad idea to fall for these scams. I realize not everyone can be educated, but nevertheless the education bar is _super_ low on this one.

    The reason WU has convenient unauthenticated money transfers, is that sometimes people _want_ convenient unauthenticated money transfers, just like sometimes we like to use cash. If you make it so that WU is required to authenticate, then you’re just going to remove the convenience and increase the cost. People will have to find other ways to do whatever they formerly did with Wester Union. Then the exceptional case that we allowed to dominate the conversation (scammers) will adapt to request money through _those_ channels (e.g. “We can’t use Western Union here; please send me a bitcoin”).

    The same goes for assigning blame to one of the other innocent facilitators in the scam (Yahoo’s mail), since apparently sometimes we like the convenience of single-factor authentication to email services. Make them more expensive or harder to use, and the “lazy” people who use it, will just go somewhere else, followed by their parasites.

    For that matter, you didn’t really go into depth as to exactly _how_ his account was “hacked” so for all we know, if we’re going to pains to make someone other than the users are left holding the bag (*), then the blame trail still hasn’t been fully followed. Blame the people whose overflow bug allowed the keyboard sniffer to be installed which was used to get the yahoo password, or blame the people whose database got stolen which had the yahoo email address associated with the plaintext reused password, or blame the .. the problem is so vast and interconnected. Singling out Western Union seems arbitrary; they were just one link in a chain. I think they’re just convenient.

    (*) And that can’t happen, because whoever is left holding the bag, will just pass their expenses on to their users anyway. So then all WU users would pay for it, instead of the one user who could have, and should have, just said no. Some expenses, beyond peoples’ control, should be shared. But is this really one of them?

  6. Western Union and others are turning a blind eye because of one thing. Profits. They are profiting off these scammers and they don’t want to damage that revenue stream. If their marketers were creative they would up-sell a verification service and have the customer pay a little more for the peace of mind. That way they can offer a way to reduce the rate of scamming while also making a buck.

  7. Rob Belcher says

    I don’t see any justification or rationale at all for holding Western Union responsible for the lost money. All they can reasonably insure is that they delivered the money as requested. If someone tricks you into FedExing cash to them under false pretenses, do you get to collect from FedEx?

    I think you’d be more successful with the kind of moral suasion approach that finally made Craigslist stop accepting prostitution ads that often aided human traffickers. WU is profiting from this theft and should be persuaded to stop abetting these scammers, but they should not be held liable for performing their service as advertised.

    I agree that at the very least WU should offer the option to require ID, and I don’t think it would be useless/obscure to infrequent customers.

  8. Joseph Bonneau says

    I’m not sure that shifting liability onto Western Union is the answer-it could just mean the end of WU if its business model can’t afford to eat costs for a large number of transactions that went bad. In the West perhaps a common association with WU is fraud, but I’ve traveled in many places where it’s the only financial services option in town and it really saved me. They have outlets around the world in many otherwise under-served markets, which are not profitable for full-fledged banks to operate in that would assume more liability.

    I also think your suggestion for WU to add sender-initiated options is flawed. Assuming most scam victims rarely or never use WU, they may not be aware of these options or could be convinced by a scammer to skip them. The scammer has a fundamental advantage in “Lost in London” scams because they’re plausibly requesting that the victim use a financial channel they rarely otherwise use. Scammers could relatively easily switch to something else, and then simply tell victims that the new system is the only option for wherever they are stuck.

    • Dan Wallach says

      If WU had liability, they’d be creative in inventing mechanisms to help. I have no idea what their fraud rate would be afterward (or what it is today), but that’s what the fee they charge should cover. And, of course, they should be incentivized to innovate in the anti-fraud department to reduce the fees. Today, they can post all the warnings and do all the consumer education they want, but they’re still putting the onus on their customers, rather than assuming it themselves.

      I don’t want to suggest that we should regulate WU exclusively. Any regulation for WU could and should apply to their competition as well. Yeah, sure, the Nigerian scammers could say that the only way to get money to the “Lost in London” victim is by buying BitCoins and doing an appropriate transaction, but the fact is that such a thing would trip most people’s BS meter. (“Uncle Bob has no clue what BitCoins are. Must be a scam!”) And, in my proposed regulatory universe, the BitCoin transfer companies would assume the same liability as I’m proposing for WU.

      • Joseph Bonneau says

        Your point about regulating all competition to WU is the critical one. I think that’s very hard, because they don’t have much direct competition but they have indirect competition. For example, sending remittances is a major use of WU (perhaps their golden goose), and there are a number of startups like TransferWise trying to undercut them on price there. I’m assuming the authentication with TransferWise is no better and that scammers could switch to them (or whomever eventually undercuts them again). There will always be a market for very cheap, non-reversible money transfers with lots of incentive to evade regulations.

        Another technical point-it may be naive to assume the WU agency on the receiver end is trustworthy. Many of them are small, independent local shops also set up to act as a WU agent, who might know the local scammers and be somewhat complicit (or bribed). Cleaning all of that up might be very costly for WU if it meant losing lots of their international outlets.

  9. Western Union itself warns people about scams. Trying to shift responsibility won’t help, but there is something more important here.

    Lets say I buy something and want to complete the exchange via WU. I wire the money, get the goods, then claim the person was a scammer. They can’t even make paypal and ebay work. There is likely more money in dispute there than scammed on any given day.

    Universities, or their staff, professors, employees, etc. can be negligent. So why not require the board of Regents, the Dean(s), and the professors or whomever to be PERSONALLY RESPONSIBLE when one of their students does something bad, e.g. pirate music or get some kind of weapon and kills a lot of people. And for every rape on campus. They can do more. They can turn the university into a supermax prison if necessary with the students in solitary cells with video monitors. Absurd? Why?

    There are also classic scams – but we don’t demand banks refund victims of “the pigeon drop”. For that matter we don’t even demand the Banksters that sold the toxic waste mortgage backed securities that destroyed the retirements of many Americans – far more than are scammed by Nigerians – to merely forego bailouts, though (William Black and others have documented) actual fraud occurred.

    I would not make Western Union responsible, however adopting the option to require IDs, or to send to a specific location, or something similar would help.

    Back in the old days of telephones, there was a station-to-station call, but also a person-to-person call. The latter cost more, but you didn’t pay if you didn’t get the person.